authorDamien Miller <djm@mindrot.org>2001-02-14 01:25:23 +1100
committerDamien Miller <djm@mindrot.org>2001-02-14 01:25:23 +1100
commit92ddb7d6f0d6a1942e27f75883d29dc0ea99223f (patch)
tree505a90486e59c722c4226a7c597b449f4b651529
parent116b6bdda81d6647cc2742280c15b3f42ab3dd24 (diff)
- (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams
<cmadams@hiwaay.net> with a little modification and KNF.
-rw-r--r--ChangeLog4
-rw-r--r--Makefile.in4
-rw-r--r--auth-sia.c96
-rw-r--r--auth-sia.h8
-rw-r--r--auth1.c18
-rw-r--r--auth2.c19
-rw-r--r--session.c20
7 files changed, 116 insertions, 53 deletions
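--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,8 @@
    from Nalin Dahyabhai <nalin@redhat.com>
  - (bal) Missing function prototype in bsd-snprintf.c patch by
    Mark Miller <markm@swoon.net>
+ - (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams
+   <cmadams@hiwaay.net> with a little modification and KNF.
 
 20010213
  - (djm) Only test -S potential EGD sockets if they exist and are readable.
@@ -3922,4 +3924,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.757 2001/02/13 14:05:59 mouring Exp $
+$Id: ChangeLog,v 1.758 2001/02/13 14:25:23 djm Exp $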
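--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.150 2001/02/09 13:40:03 djm Exp $
+# $Id: Makefile.in,v 1.151 2001/02/13 14:25:23 djm Exp $
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -48,7 +48,7 @@ LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
 
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
 
 TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
 CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0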
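--- /dev/null
+++ b/auth-sia.c
@@ -0,0 +1,96 @@
+#include "includes.h"
+
+#ifdef HAVE_OSF_SIA
+#include "ssh.h"
+#include "auth-sia.h"
+#include "log.h"
+#include "servconf.h"
+#include "canohost.h"
+
+#include <sia.h>
+#include <siad.h>
+#include <pwd.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <sys/resource.h>
+#include <unistd.h>
+#include <string.h>
+
+extern ServerOptions options;
+extern int saved_argc;
+extern char **saved_argv;
+
+extern int errno;
+
+int
+auth_sia_password(char *user, char *pass)
+{
+	int ret;
+	SIAENTITY *ent = NULL;
+	const char *host;
+
+	host = get_canonical_hostname(options.reverse_mapping_check);
+
+	if (!user || !pass)
+		return(0);
+
+	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0,
+	    NULL) != SIASUCCESS)
+		return(0);
+
+	if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
+		error("couldn't authenticate %s from %s", user, host);
+		if (ret & SIASTOP)
+			sia_ses_release(&ent);
+		return(0);
+	}
+
+	sia_ses_release(&ent);
+
+	return(1);
+}
+
+void
+session_setup_sia(char *user, char *tty)
+{
+	int ret;
+	struct passwd *pw;
+	SIAENTITY *ent = NULL;
+	const char *host;
+
+	host = get_canonical_hostname (options.reverse_mapping_check);
+
+	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
+	    NULL) != SIASUCCESS)
+		fatal("sia_ses_init failed");
+
+	if ((pw = getpwnam(user)) == NULL) {
+		sia_ses_release(&ent);
+		fatal("getpwnam(%s) failed: %s", user, strerror(errno));
+	}
+	if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
+		sia_ses_release(&ent);
+		fatal("sia_make_entity_pwd failed");
+	}
+
+	ent->authtype = SIA_A_NONE;
+	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
+		fatal("couldn't establish session for %s from %s", user,
+		    host);
+
+	if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
+		sia_ses_release(&ent);
+		fatal("setpriority failed: %s", strerror (errno));
+	}
+
+	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
+		fatal("couldn't launch session for %s from %s", user, host);
+
+	sia_ses_release(&ent);
+
+	if (setreuid(geteuid(), geteuid()) < 0)
+		fatal("setreuid failed: %s", strerror (errno));
+}
+
+#endif /* HAVE_OSF_SIA */
+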
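Review bot: auth_sia_password hands an empty password string straight to sia_ses_authent; nothing in this file consults options.permit_empty_passwd, so PermitEmptyPasswords has no effect on the SIA build unless it is enforced somewhere upstream of this call that the diff does not show, and whether SIA itself accepts an empty password for a passwordless account is not visible here either. An explicit guard settles it: `if (!user || !pass || (*pass == '\0' && !options.permit_empty_passwd)) return(0);` — placed before the get_canonical_hostname() call it also avoids a reverse lookup for a request that is rejected anyway. In the same function, when sia_ses_authent fails without SIASTOP set the entity is never released before returning, which reads like a leak of `ent` unless the library reclaims it; worth confirming against the SIA documentation. In session_setup_sia, `ret` is declared but never used, and the file-scope `extern int errno;` should be `#include <errno.h>`, since errno may be a macro rather than a plain variable.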
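--- /dev/null
+++ b/auth-sia.h
@@ -0,0 +1,8 @@
+#include "includes.h"
+
+#ifdef HAVE_OSF_SIA
+
+int auth_sia_password(char *user, char *pass);
+void session_setup_sia(char *user, char *tty);
+
+#endif /* HAVE_OSF_SIA */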
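Review bot: The new header has no include guard, unlike the other project headers it sits beside; wrap it in `#ifndef AUTH_SIA_H` / `#define AUTH_SIA_H` … `#endif /* AUTH_SIA_H */`. The two prototypes would also benefit from a one-line contract each, since the semantics are only discoverable from auth-sia.c: for auth_sia_password, `/* Returns 1 if SIA accepts pass for user, 0 on any failure or NULL argument */`, and for session_setup_sia, a note that it establishes and launches the SIA session for user on tty and exits via fatal() rather than returning on failure.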
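--- a/auth1.c
+++ b/auth1.c
@@ -12,11 +12,6 @@
 #include "includes.h"
 RCSID("$OpenBSD: auth1.c,v 1.15 2001/02/07 22:35:45 markus Exp $");
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #include "xmalloc.h"
 #include "rsa.h"
 #include "ssh1.h"
@@ -36,10 +31,6 @@ extern char *forced_command;
 #ifdef WITH_AIXAUTHENTICATE
 extern char *aixloginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
-#ifdef HAVE_OSF_SIA
-extern int saved_argc;
-extern char **saved_argv;
-#endif /* HAVE_OSF_SIA */
 
 /*
  * convert ssh auth msg type into description
@@ -98,6 +89,8 @@ do_authloop(Authctxt *authctxt)
 #endif
 #ifdef USE_PAM
 		    auth_pam_password(pw, "")) {
+#elif defined(HAVE_OSF_SIA)
+		    0) {
 #else
 		    auth_password(pw, "")) {
 #endif
@@ -265,11 +258,8 @@ do_authloop(Authctxt *authctxt)
 			authenticated = auth_pam_password(pw, password);
 #elif defined(HAVE_OSF_SIA)
 			/* Do SIA auth with password */
-			if (sia_validate_user(NULL, saved_argc, saved_argv,
-			    get_canonical_hostname(options.reverse_mapping_check),
-			    authctxt->user?authctxt->user:"NOUSER", NULL,
-			    0, NULL, password) == SIASUCCESS)
-				authenticated = 1;
+			authenticated = auth_sia_password(authctxt->user,
+			    password);
 #else /* !USE_PAM && !HAVE_OSF_SIA */
 			/* Try authentication with the password. */
 			authenticated = auth_password(pw, password);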
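Review bot: None of the hunks add `#include "auth-sia.h"` to auth1.c, yet the SIA branch of do_authloop now calls auth_sia_password; unless the prototype arrives through includes.h or another header the diff does not show, the call is compiled against an implicit declaration. The same applies to auth2.c (the userauth_none and userauth_passwd hunks) and to session.c (do_child), where it matters most because session_setup_sia returns void and an implicit declaration assumes int. Suggest adding, beside the remaining includes in each file, `#ifdef HAVE_OSF_SIA` / `#include "auth-sia.h"` / `#endif`. do_authloop starts and ends outside the hunk.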
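--- a/auth2.c
+++ b/auth2.c
@@ -25,11 +25,6 @@
 #include "includes.h"
 RCSID("$OpenBSD: auth2.c,v 1.40 2001/02/10 12:52:02 markus Exp $");
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #include <openssl/evp.h>
 
 #include "ssh2.h"
@@ -61,10 +56,6 @@ extern int session_id2_len;
 #ifdef WITH_AIXAUTHENTICATE
 extern char *aixloginmsg;
 #endif
-#ifdef HAVE_OSF_SIA
-extern int saved_argc;
-extern char **saved_argv;
-#endif
 
 static Authctxt *x_authctxt = NULL;
 static int one = 1;
@@ -346,10 +337,7 @@ userauth_none(Authctxt *authctxt)
 #ifdef USE_PAM
 	return auth_pam_password(authctxt->pw, "");
 #elif defined(HAVE_OSF_SIA)
-	return (sia_validate_user(NULL, saved_argc, saved_argv,
-	    get_canonical_hostname(options.reverse_mapping_check),
-	    authctxt->user?authctxt->user:"NOUSER", NULL, 0,
-	    NULL, "") == SIASUCCESS);
+	return 0;
 #else /* !HAVE_OSF_SIA && !USE_PAM */
 	return auth_password(authctxt->pw, "");
 #endif /* USE_PAM */
@@ -374,10 +362,7 @@ userauth_passwd(Authctxt *authctxt)
 #ifdef USE_PAM
 	    auth_pam_password(authctxt->pw, password) == 1)
 #elif defined(HAVE_OSF_SIA)
-	    sia_validate_user(NULL, saved_argc, saved_argv,
-	    get_canonical_hostname(options.reverse_mapping_check),
-	    authctxt->user?authctxt->user:"NOUSER", NULL, 0, NULL,
-	    password) == SIASUCCESS)
+	    auth_sia_password(authctxt->user, password) == 1)
 #else /* !USE_PAM && !HAVE_OSF_SIA */
 	    auth_password(authctxt->pw, password) == 1)
 #endif /* USE_PAM */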
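--- a/session.c
+++ b/session.c
@@ -72,11 +72,6 @@ RCSID("$OpenBSD: session.c,v 1.55 2001/02/08 19:30:52 itojun Exp $");
 #include <usersec.h>
 #endif
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #ifdef HAVE_CYGWIN
 #include <windows.h>
 #include <sys/cygwin.h>
@@ -1051,21 +1046,8 @@ do_child(const char *command, struct passwd * pw, const char *term,
 		   switch, so we let login(1) to this for us. */
 		if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-			extern char **saved_argv;
-			extern int saved_argc;
-			char *host = get_canonical_hostname(options.reverse_mapping_check);
-
-			if (sia_become_user(NULL, saved_argc, saved_argv, host,
-			    pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) !=
-			    SIASUCCESS) {
-				perror("sia_become_user");
-				exit(1);
-			}
-			if (setreuid(geteuid(), geteuid()) < 0) {
-				perror("setreuid");
-				exit(1);
-			}
 #else /* HAVE_OSF_SIA */
+			session_setup_sia(pw->pw_name, ttyname);
 #ifdef HAVE_CYGWIN
 			if (is_winnt) {
 #else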
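Review bot: The added call `session_setup_sia(pw->pw_name, ttyname);` lands in the `#else /* HAVE_OSF_SIA */` arm (new line 1050 follows the `#else` at 1049), leaving the HAVE_OSF_SIA branch it replaces empty. On SIA builds do_child therefore no longer establishes the session or performs the setreuid() that the removed code did, while every non-SIA build now calls a function that auth-sia.c only defines under HAVE_OSF_SIA, so the link should fail there. The line belongs between `#ifdef HAVE_OSF_SIA` and `#else /* HAVE_OSF_SIA */`. do_child starts and ends outside the hunk.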